Re: Having trouble hosting txt file in app

calvinmcelroy · ‎01-27-2023

Apologies if this belongs in a different location but it seemed like the best with the choices available.

I am looking to host a .txt file within my custom app that can be retrieved as a EDL (external dynamic list) by my firewall. I have been successful at building a .html document in the app's ./appserver/static/ directory. This works fine but I am concerned this will not work for an EDL. I really need it to be a .txt file (unless someone has had success with .html files and would like to share).

To be clear, this works just fine:

https://splunk.example.com:8000/en-US/static/app/example_app/edl.html

But this does not:

https://splunk.example.com:8000/en-US/static/app/example_app/edl.txt

If anybody knows how to make this work or could explain why it is not possible I would appreciate it.

Thank you,

gcusello · ‎01-27-2023

Hi @calvinmcelroy,

if it's sufficient for your EDL, you can put a txt file in the app main folder.

You can see in other apps (e.g. the Splunk Add-On for Windows9 a README.txt file in the main app folder.

Ciao.

Giuseppe

calvinmcelroy · ‎01-28-2023

@gcusello Thank you for the comment.

I do know that I could have a txt file located at the app's root directory, but I am not sure if that would achieve my desired result, but maybe there is more to it than I am aware.

Part of the functionality an EDL serves as an externally stored list of data (in this case a list of domains) that the firewall or fleet of firewalls can all access remotely at one central location, as the list changes (dynamic), the firewalls are polling the list and adjusting the policy rules/objects with the newest data in the EDL. So with that purpose, the firewalls need to be able to access the EDL file being served from some server, and the file needs to be in plain text not loaded with markup and other formatting.

Since we already leverage splunk (linux) distributed environment, maybe we could get one of the nodes (SH or HF) to also host this EDL, this would eliminate the need to stand up (maintain) another server just for this purpose, and having a local location would allow for easy modification even in the WebUI. I was envisioning a Dashboard that has a textbox input and custom button that would use a python script to add the input to the local edl.txt file and be able to do some regex validation and other checks behind the scenes without too much integration with splunk and other servers. Being all local, this would be extremely easy, but im running into the issue with the splunk appserver not being able to host my .txt file in the same way I can host a .html file.

Now if I can some how add the .txt file into the app's root directory and still access it from a web browser without authentication, that would also work perfectly. But it seems like that without the appserver, that would not be possible. Is there a way to do something like that?

gcusello · ‎01-29-2023

Hi @calvinmcelroy,

at first don't put other components on the SH, better the HF.

if you want to read the edl.txt file in Splunk, you could create a monitor input that reads the edl.txt file without reference to the location.

In inputs.conf:

[monitor://opt/splunkforwarder/edl.txt]
index = edl
sourcetype = edl
disabled = 0

Ciao.

Giuseppe

calvinmcelroy · ‎01-28-2023

I have also considered just setting up a simplehttpserver on the linux host just to host the file, and still use the dashboard idea to make additions and adjustments. This seems like a viable option, but I was hoping there is Splunk way to do this.

Is it possible to host a .txt file within my custom app that can be retrieved as a EDL by my firewall?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!